slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
April 24, 2013, 12:08:43 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
TiborB
Member
Offline
Activity: 83
Merit: 10
April 24, 2013, 12:10:36 AM
Stratum is back, great job!
Cheers, T
Way to never read anything before making your post... keep living the dream. I know you will never read this.
Can you please shed some light on this comment?
laughingbear
April 24, 2013, 12:13:46 AM
Stratum is back, great job!
Cheers, T
Way to never read anything before making your post... keep living the dream. I know you will never read this.
Can you please shed some light on this comment?
I doubt it.
gbx
April 24, 2013, 12:16:56 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
April 24, 2013, 12:18:13 AM
The pool just found a new block. Because the database isn't running and shares are not stored, I'll spread the blocks mined during the database outage among the miners who continue mining on the pool once the database is up again.
TiborB
Member
Offline
Activity: 83
Merit: 10
April 24, 2013, 12:19:27 AM
Stratum is back, great job!
Cheers, T
Way to never read anything before making your post... keep living the dream. I know you will never read this.
Can you please shed some light on this comment?
I doubt it.
If I agreed with you, we both would be wrong. Never mind, no offence taken on my side whatsoever.
TiborB
Member
Offline
Activity: 83
Merit: 10
April 24, 2013, 12:21:48 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?
I'd guess he is using a Vasco or RSA token with an appropriate key size...
Lucko
April 24, 2013, 12:26:26 AM
The pool just found a new block. Because the database isn't running and shares are not stored, I'll spread the blocks mined during the database outage among the miners who continue mining on the pool once the database is up again.
We are mining again? You told us tomorrow... Well, I guess this morning, but because I read "tomorrow" I removed your pool from my config, because I thought the stratum might come up hacked... I'm adding it again, but for the last block you might use the data that you have... It was a long one and I would hate to lose everything because of that...
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
April 24, 2013, 12:27:58 AM
For now it is mining on the OVH machine, but I'm now migrating DNS to the EC2 machines, which are trusted.
phazedoubt
Newbie
Offline
Activity: 18
Merit: 0
April 24, 2013, 12:29:17 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?
I'd guess he is using a Vasco or RSA token with an appropriate key size...
Nothing so elaborate. You'd be amazed at the power that an administrator can wield. Your server security is only as strong as those that have physical access to the servers honoring their word. Occam's razor applies greatly when it comes to hacking.
TiborB
Member
Offline
Activity: 83
Merit: 10
April 24, 2013, 12:32:56 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?
I'd guess he is using a Vasco or RSA token with an appropriate key size...
Nothing so elaborate. You'd be amazed at the power that an administrator can wield. Your server security is only as strong as those that have physical access to the servers honoring their word. Occam's razor applies greatly when it comes to hacking.
You are absolutely right. The point was merely that there is no need to predict the next OTP, especially with Trudy having physical access.
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
April 24, 2013, 12:37:14 AM
You are absolutely right. The point was merely that there is no need to predict the next OTP, especially with Trudy having physical access.
Not only do I take physical security seriously, but there is no indicator that the attacker has real access to the mailbox. The password to OVH has been changed for a second time, after I changed the password to the email and after I cross-checked that I hold the only active session to the mail server. After this, even knowledge of the OTP private key won't give the attacker access to the mailbox.
phazedoubt
Newbie
Offline
Activity: 18
Merit: 0
April 24, 2013, 12:41:14 AM
Also, just as an FYI, I do network security in a completely different sector, but the attacks are usually the same. The "sneak forwarding" is a common targeted attack.
I cross-checked my mailbox setup and no forwarding is configured here. For now I fully blame OVH for this issue.
Interesting analysis. Is it possible that the algo for the OTP is "known"? So the attacker would simply have to know what the next OTP password is once it's been submitted?
I'd guess he is using a Vasco or RSA token with an appropriate key size...
Nothing so elaborate. You'd be amazed at the power that an administrator can wield. Your server security is only as strong as those that have physical access to the servers honoring their word. Occam's razor applies greatly when it comes to hacking.
You are absolutely right. The point was merely that there is no need to predict the next OTP, especially with Trudy having physical access.
Exactly. Not to get too far off topic, but just today I was asked to "hack" into a Windows 2003 Exchange server for a new customer who wanted to get rid of his now-previous third-party IT provider without asking for the admin passwords. I was able to gain access within an hour with physical access. Hopefully when you move, Slush, it will be to a much more neutral site with stricter internal protocols... working on the assumption that this was an internal job and that the move should solve the problem.
dtown
Newbie
Offline
Activity: 38
Merit: 0
April 24, 2013, 12:46:38 AM
Let us know when you have a new IP even if DNS isn't ready.
Thanks for doing all of this, Slush. I know it's supposed to be sleepy time for you.
patnor1011
Member
Offline
Activity: 114
Merit: 100
April 24, 2013, 12:47:07 AM
If only I could find out whether my workers are up and running; I left everything on and went to work. My wife is sound asleep and without the site up I can't check, but I presume that since they were up and on Stratum before everything happened, I should still be mining.
slush (OP)
Legendary
Offline
Activity: 1386
Merit: 1097
April 24, 2013, 01:00:00 AM
If only I could find out whether my workers are up and running; I left everything on and went to work. My wife is sound asleep and without the site up I can't check, but I presume that since they were up and on Stratum before everything happened, I should still be mining.
If you see workers hashing on Stratum, they should be fine. I'll keep the site offline because with the database down it won't display anything useful.
mikegogulski
April 24, 2013, 01:03:18 AM
The pool has been hacked.
Very sorry to hear it. What a pain in the ass!
nybbler905
April 24, 2013, 01:10:58 AM
Nice work getting control back (it took me a while to read all that happened in the last 2 hours, since I was on getwork and my PC had to restart due to a breaker blowing... Darn you pressure washers on the same circuit!!!!)
It would not hurt to open the confirmation mail and check whether, in the full header, there are any blind carbon copy sends, which would mean that the whole server system may have been compromised and Slush's server was the tastiest treat to go after first.
I didn't do a reverse DNS lookup to see who/where the host is, but... I have a friend who was IT for schools in Alberta and he showed me how easy it was to monitor ANY mail in the schools from one of the IT desktops and "force" it to do blind carbon copies. Technically not in the server room, but in the base domain addresses (for those at home, same side of the router).
My personal experience with this kind of attack is usually reading about it in forums....
Hope this is the last of it. I'm 1/10th of the way to a half-decent GPU mining card and hope to get decent hashes/shares soon.
apetersson
April 24, 2013, 01:11:11 AM
Apparently "if you don't hold it, you don't own it" is true for servers as well.
hugheser
Newbie
Offline
Activity: 8
Merit: 0
April 24, 2013, 01:16:21 AM
It's just nice to see the guy in charge actively posting with users. I've only been mining for a few weeks, but other pools don't know what they are missing.
Keep the luck coming. I need to fund a serious BeerBQ at the end of May solely on BTC.